Feature #962
Status: closed
Can I log the MAC address of the source?
Description
Knowing the MAC address can help us know who the attacker is. So can Suricata log the MAC address, like the -e option in Snort? Thanks for the help.
VJ Updated by Victor Julien over 12 years ago
We don't have a similar option. How are the mac addresses logged with -e in Snort?
VJ Updated by Victor Julien over 12 years ago
- Target version set to TBD
SL Updated by Song Liu over 12 years ago
In NFQ mode, we don't have MAC address, because it is layer 3.
AH Updated by Andreas Herz about 10 years ago
That's a feature request. Did anyone already look into that? I just tested it with Snort in sniffer mode (-vCd -i $DEVICE -e), which we don't have exactly, but it could be useful in normal IDS mode as well.
AH Updated by Andreas Herz about 10 years ago
- Tracker changed from Support to Feature
- Assignee set to OISF Dev
VJ Updated by Victor Julien over 8 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Eric Leblond
- Target version changed from TBD to 70
VJ Updated by Victor Julien over 8 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
VJ Updated by Victor Julien about 8 years ago
At the team meeting in Amsterdam 2018 we agreed on the following:
- for packets, log mac src/dst as a scalar field in eve
- for flows, log mac src/dst as lists in eve
- field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)
Alerts will log based on packet, but can add mac addrs from flow too.
RH Updated by Raymond Hansen over 7 years ago
- Assignee changed from Eric Leblond to Sascha Steinbiss
VJ Updated by Victor Julien over 6 years ago
- Related to Bug #1711: eve: Ethernet Header Missing From Packet Field added
SS Updated by Sascha Steinbiss about 6 years ago
Just taking a look at this atm.
- for packets, log mac src/dst as a scalar field in eve
- for flows, log mac src/dst as lists in eve
- field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)
Alerts will log based on packet, but can add mac addrs from flow too.
I am wondering how to decide whether something is to be logged as flow or packet. Would it be enough to look at p->flow in CreateJSONHeader and see if the *pktcnt values there indicate >1 packet?
Also, am I correct in assuming that in order to log a list of MAC addresses, one would need to gather and update that during packet->flow assignment? Can you suggest a good suitable place to do that in the code? FlowHandlePacketUpdate?
Thanks!
SS Updated by Sascha Steinbiss about 6 years ago
Sascha Steinbiss wrote in #note-11:
Just taking a look at this atm.
- for packets, log mac src/dst as a scalar field in eve
- for flows, log mac src/dst as lists in eve
- field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)
Alerts will log based on packet, but can add mac addrs from flow too.
I am wondering how to decide whether something is to be logged as flow or packet. Would it be enough to look at p->flow in CreateJSONHeader and see if the *pktcnt values there indicate >1 packet?
Also, am I correct in assuming that in order to log a list of MAC addresses, one would need to gather and update that during packet->flow assignment? Can you suggest a good suitable place to do that in the code? FlowHandlePacketUpdate?
I think I've at least found a starting point: https://github.com/satta/suricata/commit/ac09ed3d3b85c76c0bb38795efcb0ab11466f67b
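As an added illustration (not Suricata's code, and not from the linked commit) of the scheme agreed above and of the per-flow gathering asked about in the previous notes: packet-based events carry scalar src_mac/dest_mac, flow events carry src_macs/dest_macs lists collected as packets are assigned to the flow, and a packet with no Ethernet header (the NFQ, layer-3 case from earlier in the thread) logs no MAC fields at all. The Packet/Flow/FlowTable types, the handle_packet() update step standing in for the real per-packet flow update, and the top-level placement of the fields are assumptions made for this example; all addresses are constructed.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet record; MAC fields are None when there is no Ethernet header
    (models NFQ/IPS captures that only see layer 3)."""
    src_ip: str
    dest_ip: str
    src_port: int
    dest_port: int
    proto: str
    src_mac: Optional[str] = None
    dest_mac: Optional[str] = None


@dataclass
class Flow:
    """Endpoint roles are fixed by the first packet seen: its source is the flow's src side."""
    src_ip: str
    dest_ip: str
    src_port: int
    dest_port: int
    proto: str
    pkts_toserver: int = 0
    pkts_toclient: int = 0
    # Ordered, de-duplicated: every MAC seen on the flow's src side / dest side.
    src_macs: List[str] = field(default_factory=list)
    dest_macs: List[str] = field(default_factory=list)


FlowKey = Tuple[str, str, int, int, str]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent 5-tuple so both halves of a connection share one flow."""
    a, b = (p.src_ip, p.src_port), (p.dest_ip, p.dest_port)
    if a <= b:
        return (p.src_ip, p.dest_ip, p.src_port, p.dest_port, p.proto)
    return (p.dest_ip, p.src_ip, p.dest_port, p.src_port, p.proto)


def _add_unique(macs: List[str], mac: Optional[str]) -> None:
    if mac is not None and mac not in macs:
        macs.append(mac)


class FlowTable:
    """Toy flow table. handle_packet() is a hypothetical stand-in for the per-packet
    flow update where the MAC lists would be maintained (not FlowHandlePacketUpdate)."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}

    def handle_packet(self, p: Packet) -> Flow:
        key = flow_key(p)
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(p.src_ip, p.dest_ip, p.src_port, p.dest_port, p.proto)
            self.flows[key] = flow
        if (p.src_ip, p.src_port) == (flow.src_ip, flow.src_port):
            flow.pkts_toserver += 1
            _add_unique(flow.src_macs, p.src_mac)
            _add_unique(flow.dest_macs, p.dest_mac)
        else:
            # On a reply the Ethernet source belongs to the flow's dest side and vice versa.
            flow.pkts_toclient += 1
            _add_unique(flow.src_macs, p.dest_mac)
            _add_unique(flow.dest_macs, p.src_mac)
        return flow


def packet_event(p: Packet, event_type: str = "alert") -> dict:
    """Packet-based event: scalar src_mac / dest_mac, omitted (not null) without Ethernet."""
    ev = {"event_type": event_type, "src_ip": p.src_ip, "src_port": p.src_port,
          "dest_ip": p.dest_ip, "dest_port": p.dest_port, "proto": p.proto}
    if p.src_mac is not None:
        ev["src_mac"] = p.src_mac
    if p.dest_mac is not None:
        ev["dest_mac"] = p.dest_mac
    return ev


def flow_event(f: Flow) -> dict:
    """Flow event: lists under the distinct names src_macs / dest_macs, so a consumer
    never has to guess whether a MAC field is a string or an array."""
    ev = {"event_type": "flow", "src_ip": f.src_ip, "src_port": f.src_port,
          "dest_ip": f.dest_ip, "dest_port": f.dest_port, "proto": f.proto,
          "flow": {"pkts_toserver": f.pkts_toserver, "pkts_toclient": f.pkts_toclient}}
    if f.src_macs or f.dest_macs:
        ev["src_macs"] = list(f.src_macs)
        ev["dest_macs"] = list(f.dest_macs)
    return ev


# Constructed traffic: one HTTP flow whose client-side MAC changes mid-flow, plus one
# packet from a layer-3-only capture that carries no Ethernet information.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 51234, 80, "TCP", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:80"),
    Packet("10.0.0.80", "10.0.0.5", 80, 51234, "TCP", "aa:bb:cc:00:00:80", "aa:bb:cc:00:00:01"),
    Packet("10.0.0.5", "10.0.0.80", 51234, 80, "TCP", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:80"),
    Packet("192.0.2.10", "10.0.0.80", 40000, 80, "TCP"),
]


def run(packets: List[Packet] = SAMPLE_PACKETS) -> Tuple[List[dict], List[dict]]:
    """Feed packets through the flow table; return (per-packet events, per-flow events)."""
    table = FlowTable()
    pkt_events = []
    for p in packets:
        table.handle_packet(p)
        pkt_events.append(packet_event(p))
    return pkt_events, [flow_event(f) for f in table.flows.values()]


if __name__ == "__main__":
    for group in run():
        for ev in group:
            print(json.dumps(ev))
```

Running the script prints one EVE-style JSON line per event. The design point to notice is that a downstream consumer (SIEM field mapping, schema validation) can key on the field name alone: src_mac is always a string and src_macs is always an array, and a flow seen only through a layer-3 capture simply lacks both rather than emitting an empty or null value.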
VJ Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 6.0.0beta1